Commit graph

20614 commits

Author SHA1 Message Date
Radosław Piliszek
2fbb51ceb2 git-grep: ensure bounded default for MatchesPerFile
Analogously to how it happens for MaxResultLimit.

The default of 20 is inspired by a well-known, commercial code
hosting platform.

Unbounded limits are risky because they expose Forgejo to a class
of DoS attacks where queries are crafted to take advantage of
missing bounds.
2024-08-11 14:59:46 +02:00
Earl Warren
cfefe2b6c9
chore(refactor): split repo_service.ForkRepository in two
ForkRepository performs two different functions:

* The fork itself, if it does not already exist
* Updates and notifications after the fork is performed

The function is split to reflect that and otherwise unmodified.

The two functions are given different names to:

* clarify which integration tests provide coverage
* distinguish it from the notification method by the same name
2024-08-11 12:40:34 +02:00
Exploding Dragon
87d50eca87 feat: support grouping by any path for arch package (#4903)
Previous arch package grouping was not well-suited for complex or multi-architecture environments. It now supports the following content:

- Support grouping by any path.
- New support for packages in `xz` format.
- Fix clean up rules

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4903
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Exploding Dragon <explodingfkl@gmail.com>
Co-committed-by: Exploding Dragon <explodingfkl@gmail.com>
2024-08-11 10:35:11 +00:00
Earl Warren
a4da672134 Merge pull request 'git-grep: update comment' (#4921) from yoctozepto/forgejo:git-grep-update-comment into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4921
Reviewed-by: Shiny Nematoda <snematoda@noreply.codeberg.org>
2024-08-11 09:47:58 +00:00
Earl Warren
1b24180327 Merge pull request 'chore(ci): do not remove tags from forgejo-integration' (#4923) from earl-warren/forgejo:wip-integration-cleanup into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4923
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-08-11 09:46:25 +00:00
Earl Warren
f250f89491
chore(ci): do not remove tags from forgejo-integration
If the tag of a stable release is removed from integration, it won't
be properly described when building the test release. It will be:

8.0.0-dev-1648-7b31a541c0+gitea-1.22.0

instead of:

8.0.1-5-7b31a541c0+gitea-1.22.0
2024-08-11 07:22:21 +02:00
Radosław Piliszek
7dd7cc7ebc git-grep: update comment
It was outdated and missing detail.
2024-08-10 16:41:12 +02:00
Earl Warren
a83f5cd0f0 Merge pull request 'chore(ci): remove old releases from forgejo-integration' (#4920) from earl-warren/forgejo:wip-integration-cleanup into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4920
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-10 13:18:08 +00:00
Earl Warren
6e94be527a
chore(ci): remove old releases from forgejo-integration
The releases are created when:

* a tag is pushed to the integration repository it will create a
  vX.Y.Z release
* a new commit is pushed to a branch and mirrored to the integration
  repository, it will create a vX.Y-test release named after the branch

When both vX.Y.Z and vX.Y-test releases are present, the end-to-end
tests will use vX.Y.Z because it comes first in release sort
order. This ensures that a last round of end-to-end tests is run from
the release built in the integration repository, exactly as it will be
published and signed.

In between stable releases, the vX.Y-test releases are built daily and
must be used instead for end-to-end testing so that problems can be
detected as soon as possible. For that to happen, the stable release
must be removed from the integration repository and this is done 24h
after they were published.

The vX.Y-test releases are removed if they have not been updated in 18
months. As of August 2024 it is possible for an LTS to still be needed
in tests over a year after it was last updated, although it is
unlikely that such a lack of activity happens, there is no reason to
remove the test release before that.
2024-08-10 15:16:00 +02:00
Gusted
6102f48c7d Merge pull request '[CHORE] Fix swagger deprecation message' (#4916) from gusted/swagger-deprecated into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4916
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-10 12:50:40 +00:00
Earl Warren
3b82a634c5 Merge pull request 'feat(i18n): make the test string more fun :D' (#4904) from n0toose/i18n-fun-test-string into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4904
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-10 06:03:51 +00:00
Earl Warren
f8728ad881 Merge pull request '[BUG] Return blocking errors as JSON errors' (#4914) from gusted/forgejo-block-json into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4914
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-10 05:52:27 +00:00
Earl Warren
40e51e4ca7 Merge pull request 'fix(ui): allow unreacting from comment popover' (#4798) from solomonv/forgejo:issue-reaction-fixes into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4798
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-10 05:45:55 +00:00
Gusted
851d567776
[CHORE] Fix swagger deprecation message
- Fix "WARNING: item list for enum is not a valid JSON array, using the
old deprecated format" messages from
https://github.com/go-swagger/go-swagger in the CI.
2024-08-10 01:21:13 +02:00
Gusted
784173f7e9 Merge pull request 'Update dependency @stylistic/eslint-plugin-js to v2 (forgejo)' (#4910) from renovate/forgejo-major-eslint-stylistic-monorepo into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4910
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-09 23:17:38 +00:00
Renovate Bot
ca00643416 Update dependency @stylistic/eslint-plugin-js to v2 2024-08-09 22:03:02 +00:00
Gusted
6ba4fb5cf6 Merge pull request 'Update vitest monorepo to v2 (forgejo) (major)' (#4913) from renovate/forgejo-major-vitest-monorepo into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4913
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-09 20:38:56 +00:00
Gusted
9cc2fdffde Merge pull request 'Update dependency minimatch to v10 (forgejo)' (#4912) from renovate/forgejo-minimatch-10.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4912
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-09 20:20:27 +00:00
Gusted
967153ba45 Merge pull request 'Update dependency @stylistic/stylelint-plugin to v3 (forgejo)' (#4911) from renovate/forgejo-stylistic-stylelint-plugin-3.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4911
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-09 20:19:46 +00:00
Gusted
437b84a5f9 Merge pull request 'Update module github.com/editorconfig-checker/editorconfig-checker/v2/cmd/editorconfig-checker to v3 (forgejo)' (#4909) from renovate/forgejo-github.com-editorconfig-checker-editorconfig-checker-v2-cmd-editorconfig-checker-3.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4909
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-09 20:19:32 +00:00
Panagiotis "Ivory" Vasilopoulos
57a2b99b3c feat(i18n): make the test string more fun :D 2024-08-09 21:51:07 +02:00
Renovate Bot
8039240c26
Update module github.com/editorconfig-checker/editorconfig-checker/v2/cmd/editorconfig-checker to v3 2024-08-09 21:03:37 +02:00
Gusted
d97cf0e854
[BUG] Return blocking errors as JSON errors
- These endpoints are since b71cb7acdc
JSON-based and should therefore return JSON errors.
- Integration tests adjusted.
2024-08-09 20:34:38 +02:00
Renovate Bot
f70d50a8dc Update vitest monorepo to v2 2024-08-09 18:13:31 +00:00
Renovate Bot
ade201095a Update dependency minimatch to v10 2024-08-09 18:13:13 +00:00
Renovate Bot
c541431773 Update dependency @stylistic/stylelint-plugin to v3 2024-08-09 18:12:59 +00:00
Gusted
0f7a98d34d Merge pull request '[CHORE] Fix darwin compatibility' (#4906) from gusted/forgejo-os-compile into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4906
Reviewed-by: Caesar Schinas <caesar@caesarschinas.com>
2024-08-09 17:33:47 +00:00
Solomon Victorino
b8a5ca2c40 fix(ui): allow unreacting from comment popover
- fix selectors for hasReacted
- don't send empty HTML on reaction errors
- add E2E test
2024-08-09 10:17:04 -06:00
forgejo-renovate-action
91115b39a9 Merge pull request 'Update x/tools to v0.24.0 (forgejo)' (#4895) from renovate/forgejo-xtools into forgejo 2024-08-09 15:53:49 +00:00
Gusted
ac8856ac2b
[CHORE] Fix darwin compatibility
- Always convert (syscall.Stat_t).Dev to uint64.
- Resolves #4905
2024-08-09 17:44:41 +02:00
Gusted
d5ba61a104 Merge pull request '[UI] Fix inconsistencies in link/login account page' (#4902) from gusted/forgejo-ui-linking into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4902
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Caesar Schinas <caesar@caesarschinas.com>
2024-08-09 15:03:29 +00:00
Earl Warren
a486c684f9
Update x/tools to v0.24.0 (licenses updates) 2024-08-09 16:35:50 +02:00
Marcell Mars
d6647f710f tests additional grant scopes
- parsing scopes in `grantAdditionalScopes`
- read basic user info if `read:user`
- fail reading repository info if only `read:user`
- read repository info if `read:repository`
- if `setting.OAuth2.EnabledAdditionalGrantScopes` not provided it reads
  all groups (public+private)
- if `setting.OAuth2.EnabledAdditionalGrantScopes` provided it reads
  only public groups
- if `setting.OAuth2.EnabledAdditionalGrantScopes` and `read:organization`
  provided it reads all groups
2024-08-09 14:58:15 +02:00
Marcell Mars
8524589d8c show OAuth2 requested scopes in authorization UI
- by displaying the scopes requested for authorization in the OAuth2 app,
  users can make more informed decisions when granting access
2024-08-09 14:58:15 +02:00
Marcell Mars
7dbad27156 id_token & userinfo endpoint's public groups check
- if `groups` scope provided it checks if all, r:org or r:admin are
provided to pass all the groups. otherwise only public memberships
- in InfoOAuth it captures scopes from the token if provided in the
header. the extraction from the header is maybe a candidate for the
separate function so no duplicated code
2024-08-09 14:58:15 +02:00
Marcell Mars
4eb8d8c496 OAuth2 provider: support for granular scopes
- `CheckOAuthAccessToken` returns both user ID and additional scopes
- `grantAdditionalScopes` returns AccessTokenScope ready string (grantScopes)
   compiled from requested additional scopes by the client
- `userIDFromToken` sets returned grantScopes (if any) instead of default `all`
2024-08-09 14:58:15 +02:00
Renovate Bot
99d78fb9e7 Update x/tools to v0.24.0 2024-08-09 10:25:53 +00:00
forgejo-renovate-action
3301e7dc75 Merge pull request 'Update dependency vue to v3.4.37 (forgejo)' (#4893) from renovate/forgejo-patch-vue-monorepo into forgejo 2024-08-09 09:22:36 +00:00
Gusted
75b3645bc3
[UI] Fix inconsistencies in link/login account page
- Add the 'correct' styling for column on the link account page, this
follows what was done for the login/register page in 629ca22a97.
- Move some if conditions to be outside of the container which allocates
space on the page, this ensures it's not being shown if it's not needed.
- Resolves #4844
2024-08-09 10:52:17 +02:00
Renovate Bot
000f3562c2 Update dependency vue to v3.4.37 2024-08-09 08:07:03 +00:00
Ivan Shapovalov
012a1e0497 log: journald integration (#2869)
Provide a bit more journald integration. Specifically:

- support emission of printk-style log level prefixes, documented in [`sd-daemon`(3)](https://man7.org/linux/man-pages/man3/sd-daemon.3.html#DESCRIPTION), that allow journald to automatically annotate stderr log lines with their level;
- add a new "journaldflags" item that is supposed to be used in place of "stdflags" when under journald to reduce log clutter (i.e. strip date/time info to avoid duplication, and use log level prefixes instead of textual log levels);
- detect whether stderr and/or stdout are attached to journald by parsing `$JOURNAL_STREAM` environment variable and adjust console logger defaults accordingly.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2869
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Ivan Shapovalov <intelfx@intelfx.name>
Co-committed-by: Ivan Shapovalov <intelfx@intelfx.name>
2024-08-09 07:49:13 +00:00
Earl Warren
a72763f5a3 Merge pull request 'docs: add links to the v7.0.7 & v8.0.1 release notes' (#4899) from earl-warren/forgejo:wip-release-notes into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4899
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-08-09 07:34:40 +00:00
Earl Warren
ae85e285db Merge pull request 'disallow javascript: URI in the repository description' (#4896) from earl-warren/forgejo:wip-xss-repo-description into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4896
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-08-09 05:56:49 +00:00
Earl Warren
b87b38d3b9
docs: add links to the v7.0.7 & v8.0.1 release notes
They are now published in the milestone in part manually edited and in
part generated by the release notes assistant. Maintaining a single
file with all the release notes is prone to conflicts and requires
manual copy/pasting that is of little value.

It may make sense to transition to a release notes directory in which
the release notes assistant could create one file per release, with a
copy of the release notes edited in the milestone. This could be more
conveniently backported and would not require human intervention.
2024-08-09 07:26:50 +02:00
Gusted
bb448f3dc2
disallow javascript: URI in the repository description
- Fixes an XSS that was introduced in
https://codeberg.org/forgejo/forgejo/pulls/1433
- This XSS allows for `href`s in anchor elements to be set to a
`javascript:` uri in the repository description, which would upon
clicking (and not upon loading) the anchor element execute the specified
javascript in that uri.
- [`AllowStandardURLs`](https://pkg.go.dev/github.com/microcosm-cc/bluemonday#Policy.AllowStandardURLs) is now called for the repository description
policy, which ensures that URIs in anchor elements are `mailto:`,
`http://` or `https://`, thereby disallowing the `javascript:` URI.
It also now allows non-relative links and sets `rel="nofollow"` on
anchor elements.
- Unit test added.
2024-08-09 07:04:01 +02:00
Earl Warren
d7cb2ab3b2 Merge pull request 'feat(performance): remove BranchName in /:owner/:repo/commit/:commit' (#4891) from emilylange/feat-performance-remove-branchname into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4891
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-08 21:24:51 +00:00
emilylange
c1f85ce27b
feat(performance): remove BranchName in /:owner/:repo/commit/:commit
`BranchName` provides the nearest branch of the requested `:commit`.

It's plenty fast on smaller repositories.
On larger repositories like nixpkgs, however, this can easily take 2-3
seconds on a modern machine on an NVMe.

For context, at the time of writing, nixpkgs has over 650k commits and
roughly 250 branches.

`BranchName` is used once in the whole view:
The cherry-pick target branch default selection.

And I believe that's a logic error, which is why this patch is so small.

The nearest branch of a given commit will always be a branch the commit
is already part of. The branch you most likely *don't* want to
cherry-pick to.

Sure, one can technically cherry-pick a commit onto the same branch, but
that simply results in an empty commit.

I don't believe this is intended and even less so worth the compute.

Instead, the cherry-pick branch selection suggestion now always uses
the default branch, which used to be the fallback.

If a user wants to know which branches contain the given commit,
`load-branches-and-tags` exists and should be used instead.

Also, to add insult to injury, `BranchName` was calculated for both
logged-in and not logged-in users, despite its only consumer, the
cherry-pick operation, only being rendered when a given user has
write/commit permissions.

But this isn't particularly surprising, given this happens a lot in
Forgejo's codebase.
2024-08-08 22:29:42 +02:00
Earl Warren
7ac390bcb4 Merge pull request 'chore(ci): optimize end-to-end runs [skip ci]' (#4888) from wip-ci-end-to-end into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4888
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-08-08 20:24:10 +00:00
Yaroslav Halchenko
5ae2dbcb14 Adjust codespell config + make it fix few typos which sneaked in since addition of codespell support (#4857)
Now that my colleague just posted a wonderful blog post https://blog.datalad.org/posts/forgejo-runner-podman-deployment/ on forgejo runner, some time I will try to add that damn codespell action to work on CI here ;)  meanwhile some typos managed to sneak in and this PR should address them (one change might be functional in a test -- not sure if would cause a fail or not)

### Release notes

- [ ] I do not want this change to show in the release notes.
- [ ] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be used for the release notes instead of the title.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4857
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Yaroslav Halchenko <debian@onerussian.com>
Co-committed-by: Yaroslav Halchenko <debian@onerussian.com>
2024-08-08 16:07:35 +00:00
Earl Warren
1f8e6b6e31
chore(ci): optimize end-to-end runs
* specify the version targeted by the pull request. The end-to-end
  tests previously compiled all known branches which was a waste. The
  pull request now must specify which version it is targeting so that
  only this version is recompiled and used for testing.
* when building the daily releases, use the release from the
  integration organization to ensure the tests are run against the
  latest build. Clarify in a comment why the lookup order of
  organizations is reversed in this particular case.

Refs: https://code.forgejo.org/forgejo/end-to-end/pulls/239
2024-08-08 17:53:12 +02:00